Revision as of 08:15, 9 January 2009

Preface

Code reviews vary widely in their level of formality. Reviews can be as informal as inviting a friend to help look for a hard to find bug or they can be as formal as a software inspection process with trained teams, assigned roles and responsibilities, and a formal metric and quality tracking program.

In Peer Reviews in Software, Karl Wiegers lists seven review processes from least to most formal:

Ad hoc review

Passaround

Pair programming

Walkthrough

Team review

Inspection

Mature Secure Code Review (SCR) Model

Throughout the SDLC there are points at which an application security consultant should get involved. These "touch points" can be used to investige the status of the code being developed from a security standpoint. The reason for interviening at regular intervals is that potential issues can be detected early on in the development life cycle and hence the total cost of ownership (TCO) is less in the long term.

Waterfall SDLC exmaple

Requirements definition

Functional specification

Design

Detailed design specification

Development

Coding

Unit tests

Test

Functional testing

System testing

Integration testing

UAT (User acceptance testing)

Deployment

Change control

Maintenance

Minimal Resource Available Code Review for Web Applications Model

Very often, risk managers are tasked to manually code review large applications with minimal time and resources. This guide will focus on streamlining the manual code review process and outline the bare minimal essentials that are required for review.